Python 2.7 has reached end of support
and will be deprecated
on January 31, 2026. After deprecation, you won't be able to deploy Python 2.7
applications, even if your organization previously used an organization policy to
re-enable deployments of legacy runtimes. Your existing Python
2.7 applications will continue to run and receive traffic after their
deprecation date. We recommend that
you migrate to the latest supported version of Python.
Stay organized with collections
Save and categorize content based on your preferences.
If your organization uses Shared VPC, you can
connect App Engine standard environment services directly to your Shared VPC network
by using Serverless VPC Access.
This allows a standard environment service to access resources in your
Shared VPC network, such as Compute Engine VM instances,
Memorystore instances, and any other resources with an internal IP
address.
Serverless VPC Access connectors incur a monthly charge. For more information, see Serverless VPC Access
pricing.
For Shared VPC, Serverless VPC Access connectors can be
configured in two different ways. You can either set up connectors in each
service project that has standard environment resources that need access
to your network, or you can set up shared connectors in the host project. There
are advantages to each method.
Service projects
Advantages of creating connectors in the service projects:
Isolation: Each connector has dedicated bandwidth and is unaffected by
bandwidth use of connectors in other service projects. This is good if you
have a service that experiences spikes in traffic, or if you need to ensure
that each service project is unaffected by connector use of other service
projects.
Chargebacks: Charges incurred by connectors are associated with the
service project containing the connector. This enables easier chargebacks.
Security: Allows you to follow the "principle of least privilege."
Connectors must be granted access to the resources in your Shared VPC
network that they need to reach. By creating a connector in the service
project, you can limit what the services in the project can access by using
firewall rules.
Team independence: Reduces dependency on the host project administrator.
Teams can create and manage the connectors associated with their service
project. A user with the Compute Engine
Security Admin role or a
custom Identity and Access Management (IAM) role with the
compute.firewalls.create
permission enabled for the host project must still manage firewall rules for
the connector.
Advantages of creating connectors in the host project:
Centralized network management: Aligns with the Shared VPC model
of centralizing network configuration resources in the host project.
IP address space: Preserves more of your IP address space. Connectors
require an IP address for
each instance, so having fewer connectors (and fewer instances in each
connector) uses fewer IP addresses. This is good if you are concerned about
running out of IP addresses.
Maintenance: Reduces maintenance, because each connector you create may
be used by multiple service projects. This is good if you are concerned
about maintenance overhead.
Cost for idle time: Can reduce the amount of connector idle time and
associated cost. Connectors incur costs even when they are not serving
traffic (see pricing). Having fewer
connectors may reduce the amount of resource you pay for when not serving
traffic, depending on your connector type and number of instances. This is
often cost effective if your use case involves a large number of services, and
the services are used infrequently.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eApp Engine standard environment services can connect directly to a Shared VPC network using Serverless VPC Access, enabling access to resources like Compute Engine VM instances and Memorystore instances.\u003c/p\u003e\n"],["\u003cp\u003eServerless VPC Access connectors incur a monthly charge, and they are incompatible with the URL Fetch service, requiring its disablement and discontinuation of the \u003ccode\u003eurlfetch\u003c/code\u003e library.\u003c/p\u003e\n"],["\u003cp\u003eConnectors can be configured either in each service project or in the host project, each with distinct advantages related to isolation, chargebacks, security, team independence, centralized management, IP address space, maintenance, and idle time costs.\u003c/p\u003e\n"],["\u003cp\u003eConfiguring connectors in service projects provides benefits like dedicated bandwidth, easier chargebacks, enhanced security through least privilege, and greater team autonomy, with firewall rule management still required in the host project.\u003c/p\u003e\n"],["\u003cp\u003eSetting up connectors in the host project offers centralized network management, conserves IP address space, reduces maintenance overhead, and can lower idle time costs, especially beneficial for large numbers of infrequently used services.\u003c/p\u003e\n"]]],[],null,["# Connecting to a Shared VPC network\n\nIf your organization uses [Shared VPC](/vpc/docs/shared-vpc), you can\nconnect App Engine standard environment services directly to your Shared VPC network\nby using [Serverless VPC Access](/vpc/docs/serverless-vpc-access).\nThis allows a standard environment service to access resources in your\nShared VPC network, such as Compute Engine VM instances,\nMemorystore instances, and any other resources with an internal IP\naddress.\n\nServerless VPC Access connectors incur a monthly charge. For more information, see Serverless VPC Access\n[pricing](/vpc/pricing#serverless-vpc-pricing).\n\nIf your organization does not use Shared VPC, see\n[Connect to a VPC network](/appengine/docs/legacy/standard/python/connecting-vpc).\n\n\u003cbr /\u003e\n\n| **Note:** Serverless VPC Access is not compatible with the URL Fetch service. To use Serverless VPC Access, [disable the URL Fetch default](/appengine/docs/legacy/standard/python/sockets#making_httplib_use_sockets) and discontinue any explicit use of the [`urlfetch`](/appengine/docs/legacy/standard/python/refdocs/google.appengine.api.urlfetch) library.\n\nComparison of configuration methods\n-----------------------------------\n\nFor Shared VPC, Serverless VPC Access connectors can be\nconfigured in two different ways. You can either set up connectors in each\nservice project that has standard environment resources that need access\nto your network, or you can set up shared connectors in the host project. There\nare advantages to each method. \n\n### Service projects\n\nAdvantages of creating connectors in the service projects:\n\n- **Isolation:** Each connector has dedicated bandwidth and is unaffected by bandwidth use of connectors in other service projects. This is good if you have a service that experiences spikes in traffic, or if you need to ensure that each service project is unaffected by connector use of other service projects.\n- **Chargebacks:** Charges incurred by connectors are associated with the service project containing the connector. This enables easier chargebacks.\n- **Security:** Allows you to follow the \"principle of least privilege.\" Connectors must be granted access to the resources in your Shared VPC network that they need to reach. By creating a connector in the service project, you can limit what the services in the project can access by using firewall rules.\n- **Team independence:** Reduces dependency on the host project administrator. Teams can create and manage the connectors associated with their service project. A user with the Compute Engine [Security Admin](/compute/docs/access/iam#compute.securityAdmin) role or a custom [Identity and Access Management (IAM)](/iam) role with the [`compute.firewalls.create`](/compute/docs/reference/rest/v1/firewalls/insert#iam-permissions) permission enabled for the host project must still manage firewall rules for the connector.\n\nTo set up connectors in service projects, see\n[Configure connectors in service projects](/appengine/docs/legacy/standard/python/shared-vpc-service-projects).\n\n### Host project\n\nAdvantages of creating connectors in the host project:\n\n- **Centralized network management:** Aligns with the Shared VPC model of centralizing network configuration resources in the host project.\n- **IP address space:** Preserves more of your IP address space. Connectors require an IP address for each instance, so having fewer connectors (and fewer instances in each connector) uses fewer IP addresses. This is good if you are concerned about running out of IP addresses.\n- **Maintenance:** Reduces maintenance, because each connector you create may be used by multiple service projects. This is good if you are concerned about maintenance overhead.\n- **Cost for idle time:** Can reduce the amount of connector idle time and associated cost. Connectors incur costs even when they are not serving traffic (see [pricing](/vpc/pricing#serverless-vpc-pricing)). Having fewer connectors may reduce the amount of resource you pay for when not serving traffic, depending on your connector type and number of instances. This is often cost effective if your use case involves a large number of services, and the services are used infrequently.\n\nTo set up connectors in the host project, see\n[Configure connectors in the host project](/appengine/docs/legacy/standard/python/shared-vpc-host-project)."]]
